On the heels of growing public awareness of how “large Web companies are learning more about people than ever from what they search for and do on the Internet, gathering clues about the tastes and preferences of a typical user several hundred times a month,” a New York legislator has drafted a bill seeking to limit how Internet companies collect information about people online and use it for targeted advertising.

According to The Times, the bill “would make it a crime… for certain Web companies to use personal information about consumers for advertising without their consent.” Unfortunately, the actual text of the bill isn’t quite that sweeping or clear-cut. Much of the proposed law is based on providing users the ability to opt out of targeted advertising. For example:

5. Third party entities that collect or use non-personally identifiable information online for online preference marketing shall post clear and conspicuous notice on its website about its data collection and use practices, and each shall give consumers an opportunity to opt-out of online preference marketing.

Opt-out will always be a weaker form of consumer protection compared to requiring users to specifically opt in to having their activities tracked. This merely maintains the standard (U.S.) practice of allowing companies to surveil and monetize user activities as the default, making it the exception if a person seeks privacy protection. (For general comparison to E.U. privacy protections, see my essay “Privacy Protection in the Network Society: ‘Trading Up’ or a ‘Race to the Bottom’?”)

An additional concern with this language is the interpretation of “clear and conspicuous notice.” Would providing this notice in a website’s terms of service suffice? Even if links to the TOS aren’t visible on the typical pages users view? (For example, Google’s TOS is found only if you click on “About Google” from its homepage or a search results page.)

The bill is a bit stronger when it comes to the practice of linking generally anonymous information with personalized information, such as a name or e-mail address. For example:

14. (a) Notwithstanding subdivision four of this section, third party entities shall not merge personally identifiable information with information previously collected as non-personally identifiable information, without the consumer’s prior affirmative consent to any such merger.

While requiring affirmative consent is preferred to an opt-out regime, I worry that this consent could be similarly buried in a site’s terms of service, which users tacitly “accept” when the service is used. Google’s TOS states, for example, that users accept their terms “by actually using the Services.” No prior consent is required — if you perform a Google search, you automatically have agreed to the TOS (even if that TOS isn’t even visible from the search results page).

The bill is strongest, however, in relation to a demand I have long made on Web search providers: let me see the data you have collected about my actions. The bill states:

17. Business entities shall provide consumers with reasonable access to personally identifiable information and other information that is associated with personally identifiable information retained by the third party entity for online preference marketing uses

The press seems to have missed the importance of this section. If passed, the law would require Google, Facebook, DoubleClick, etc. to provide me access to the personally identifiable information “and other information that is associated” with my user account stored in their databases.

This is a vital right for consumers to be able to protect their data privacy: having access to view your data is the first step towards regaining some control over the collection of the data in the first place.

